Abstract

Peer-to-peer (P2P) botnets have emerged as one of the most serious threats to Internet security. To defend effectively against P2P botnets, this paper presents a mathematical model that combines the scale-free character of the Internet with the way a P2P botnet is formed. Explicit mathematical analysis demonstrates that the model has a globally stable endemic equilibrium when the infection rate exceeds a critical value. Meanwhile, we find that in a scale-free network this critical value is very small, so it is unrealistic to eliminate a P2P botnet completely. Numerical simulations show that effective countermeasures can reduce the scale of a P2P botnet or delay its outbreak. Our findings can provide useful guidance for network security management.

1. Introduction

A botnet is a network of thousands of compromised computers (bots) under the control of a botmaster, who usually recruits new vulnerable computers by running all kinds of malicious software, such as Trojan horses, worms, and computer viruses [1]. For illicit profit, the botmaster who operates a botnet remotely manipulates the zombie computers to carry out various malicious activities, such as distributed denial-of-service (DDoS) attacks, email spam, and password cracking. Botnets have thus become one of the most serious threats to the Internet.

According to their operating mechanism, there are two kinds of botnets. One is the traditional botnet, which uses Internet Relay Chat (IRC) as the communication channel of a centralized command and control (C&C) structure (see Figure 1 [2]). The other is the peer-to-peer botnet, which uses a distributed command-and-control structure (see Figure 2 [2]). Traditional botnets are easily detected and dismantled by defenders, and their threat can be mitigated or eliminated if the central C&C server is made unavailable [3]. By contrast, P2P botnets, with their decentralized command-and-control structure, are more robust and much harder for the security community to dismantle [4]. Therefore, P2P botnets such as Trojan.Peacomm and the Storm botnet [5] have emerged and gradually escalated in recent years. Moreover, P2P botnets are increasingly sophisticated, so their potential damage is much greater than that of traditional botnets, and the potential for even more damage exists in the future.

Figure 1: Centralized botnet.

Figure 2: P2P botnet.

Therefore, the threat of P2P botnets to Internet security has drawn widespread attention [6–12]. Yan et al. [6] mathematically analyzed the performance of Antbot, a new type of P2P botnet, from the perspectives of resilience, reachability, and scalability, and developed a distributed P2P botnet simulator to evaluate the effectiveness of Antbot against pollution-based mitigation in practice. Kolesnichenko et al. [7] developed a mean-field model to analyze the behavior of a P2P botnet and compared it with simulations obtained from the Mobius tool (a software tool for modeling the behavior of complex systems); their results show that the mean-field method is much faster than simulation for predicting the behavior of a P2P botnet. van Ruitenbeek and Sanders [8] presented a stochastic model of the Storm Worm P2P botnet to examine how different factors, such as the removal rate and the initial infection rate, affect the total number of bots. To be well prepared for future botnet attacks, Wang et al. [9] studied advanced botnet attack techniques that botmasters could develop in the future and proposed the design of an advanced hybrid P2P botnet. Their results show that honeypots play an important role in defending against such an advanced botnet. (In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.)

Nevertheless, few studies have examined the dynamical behavior of P2P botnets. In [7], the authors proposed a mean-field model of a P2P botnet, but the model was not analyzed mathematically. In fact, explicit mathematical analysis helps in understanding the prevalence characteristics of P2P botnets more deeply. To describe the dynamics of P2P botnets more effectively, in this paper we employ the dynamical model of computer worms, which has been widely used to study Internet malware propagation [13–22]. Since many botnets are created by computer worms [23], it is reasonable to describe the prevalence of P2P botnets with a worm propagation model. In addition, by analyzing data from real computer virus epidemics, the authors of [24] pointed out the importance of incorporating the peculiar topology of scale-free networks into the theoretical description of computer worm propagation. In biological epidemiology, there is much valuable research on the effect of complex networks on disease transmission [25, 26]. However, we are not aware of any report that considers the effect of complex networks on the prevalence of P2P botnets. Hence, it is necessary to examine the effect of network topology on the propagation of P2P botnets.

In this paper, the dynamics of leaching P2P botnets are investigated. In a leaching P2P botnet, the botmaster recruits new zombies from the Internet. Constructing this kind of P2P botnet takes two steps: first, infecting new vulnerable hosts throughout the Internet, and second, having the newly compromised hosts join the botnet and connect with other bots [2]. In a scale-free (SF) network, taking into account the heterogeneity induced by hosts of different degree , we divide the hosts into classes such that all hosts in a class have the same degree .

2. The Model

To model the propagation of a P2P botnet on the Internet, we assume that the total number of nodes on the Internet is a constant . Driven by the spread of the bot program, each node moves over time among four states: susceptible , exposed , infected , and recovered . These four states are described in detail as follows.
(1) Susceptible : the node has a software vulnerability that the bot program can exploit.
(2) Exposed : the node has been infected by the bot program but has not yet become a member of the P2P botnet.
(3) Infected : the node is a full member of the P2P botnet, which means it can infect its neighbors with the bot program.
(4) Recovered : the node has installed a detection tool that can identify and remove the bot program, or has installed a software patch that eliminates the vulnerability exploited by the bot program.

There are five state transitions among these four states.
(1) Propagating the bot program: nodes in the susceptible state change to the exposed state with infection rate .
(2) Joining the P2P botnet from the exposed state: nodes in the exposed state join the P2P botnet under the control of the botmaster and change to the infected state at rate .
(3) Immunizing nodes in the susceptible state: nodes in the susceptible state change to the recovered state at rate if they take countermeasures, for example, antivirus software, patching, a firewall, or an intrusion detection system (IDS). This immune rate is affected by many factors, for example, user vigilance.
(4) Immunizing nodes in the exposed state: nodes in the exposed state change to the recovered state at rate if they take antivirus countermeasures.
(5) Immunizing nodes in the infected state: nodes in the infected state change to the recovered state at rate if they take antivirus countermeasures.

Let , , , and be the number of degree in states , , , and at time , respectively. Then one has
The dynamic equations can be written as
where the probability describes a link pointing to an infected host, which satisfies the relation
and is the density of infected hosts in the whole network at time ; is the degree distribution. The other parameters are explained as follows: is the replacement rate of hosts per hour; is the infection rate per hour; is the state transition rate from to due to immune measures; and are the recovery rates from the exposed state and the infected state , respectively; and is the transition rate from to .

3. Model Analysis

In this section, we solve for the equilibria of system (2) and investigate their stability.

The first three equations in system (2) do not depend on the fourth equation, and, therefore, this equation may be omitted without loss of generality. Hence, system (2) can be rewritten as
The equilibria of system (7) are determined by setting

There is always a disease-free equilibrium (DFE) . Furthermore, solving for the endemic equilibrium of (5), one obtains , where
Substituting into (3), we have
Obviously, if the endemic equilibrium exists, there must be . That is, it must satisfy
and it equals
Let be the minimum value of satisfying the above inequality. Then,
that is
where .

Hence,
Summarizing the above analysis, one can get the following theorem.

Theorem 1. If , then system (4) has only the disease-free equilibrium ; if , then system (4) also has an endemic equilibrium besides .

In what follows, the endemic equilibrium point is analyzed. The Jacobian matrix of system (4) at is
and the associated characteristic equation is
where
According to Hurwitz criteria [27],
Hence, one can obtain the following lemmas.

Lemma 2. For system (4), if and hold, then the endemic equilibrium is locally asymptotically stable.

To establish the global asymptotic stability of , we first introduce three preliminary results.

Lemma 3 (see [28, 29]). Suppose that the initial relative infected density satisfies . Then, for all , the solution of system (4) satisfies and .

Proposition 4 (see [28, 29]). Suppose that the solution of system (4) satisfies and , where and . Then,

The proofs of the above conclusions are similar to those presented in [28, 29]. Here, we will omit them.

Next, main results will be presented.

Lemma 6. Suppose that the initial relative infected densities satisfy and . Then the solution of system (4) satisfies , , and , where are the unique nonzero stationary points of system (4). The proof is given in the Appendix.

Combining Lemma 2 with Lemma 6, one obtains the following theorem.

Theorem 7. If the endemic-equilibrium exists, then it is globally asymptotically stable.

4. Numerical Analysis and Control Strategies

4.1. Numerical Examples

In this subsection we present numerical experiments that support the theoretical analysis. To observe the effects of the parameters on the transmission process, we use system (4) to simulate the evolution of the P2P botnet for given parameters on an SF network with and . The parameter values of system (4) are set to , , , , and , respectively. By calculation, one obtains . Figures 3 and 4 show the simulation results for and , respectively, which are consistent with the theoretical analysis.

From Theorems 1 and 7 we learn that, to eliminate a P2P botnet from the Internet, countermeasures must bring the infection rate below its critical value so that holds. Meanwhile, the simulation results show that this critical infection rate is very small, which means that it is difficult to destroy a P2P botnet completely in practice.

4.2. Control Strategies

In what follows, we consider mainly the effect of real-time immune measures and of antivirus software on the scale of the P2P botnet.
(i) For the fixed model parameters , , , , and , we investigate the effect of different real-time immunity rates () on the scale of the P2P botnet. The simulation result is depicted in Figure 5, from which it can be observed that strengthening real-time immune measures helps to reduce the scale of the P2P botnet and delay its outbreak. Hence, network users are strongly advised to install patches promptly and keep antivirus software updated to the latest version.
(ii) For the fixed model parameters , , , , and , we investigate the effect of antivirus software () on the scale of the P2P botnet. The simulation results are depicted in Figure 6, which shows that the larger the conversion rate from to is, the larger the P2P botnet becomes. Thus, it is advisable to remove the bot program while a node is still in the exposed state, that is, infected by the bot program but not yet a member of the botnet.

Figure 5: An illustration of the impact of real-time immune measure () on the density of infected nodes.

Figure 6: An illustration of the impact of antivirus software () on the density of infected nodes.

Additionally, the effect of average degree on prevalent behavior of P2P botnet is depicted in Figure 7. From Figure 7, we find that the scale of P2P botnet will increase when becomes larger. So decreasing the average degree of network can also control the massive outbreak of P2P botnet.

Figure 7: An illustration of the impact of average degree on the density of infected nodes.
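The model of Section 2 and the parameter sweeps of Section 4.2 (Figures 5 to 7) can be reproduced numerically. The following Python script is an added example and not the paper's own code: it implements the four states and five transitions in the standard degree-based mean-field form with the host-replacement term; the symbol names (lam, sigma, alpha, beta, delta, mu, degree exponent r) and all parameter values are assumptions chosen for illustration; and the critical infection rate is derived by linearizing at the disease-free equilibrium, where <k> and <k^2> are the first two moments of the degree distribution. Running it prints the critical rate for a truncated power-law degree distribution and the equilibrium bot density below and above the threshold, then repeats the run with a higher immunization rate, a faster exposed-to-infected conversion, and a higher minimum degree.

```python
"""Degree-based mean-field SEIR model of P2P-botnet growth on a scale-free network.

Added example, not the paper's code. States S, E, I, R and the five transitions
follow Section 2; the symbol names and values below are assumptions:
  lam    infection rate per link (S -> E)
  sigma  rate at which an exposed node joins the botnet (E -> I)
  alpha  immunization rate of susceptible nodes (S -> R)
  beta   removal rate of exposed nodes (E -> R)
  delta  removal rate of bots (I -> R)
  mu     host replacement rate (nodes leave every state, newcomers are susceptible)
Nodes are grouped into degree classes k = kmin..kmax with P(k) proportional to k**(-r).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    lam: float
    sigma: float
    alpha: float
    beta: float
    delta: float
    mu: float


def variant(base, **changes):
    """Copy of base with some rates changed (used for the control-strategy sweeps)."""
    return replace(base, **changes)


def scale_free_pk(kmin=2, kmax=100, r=2.5):
    """Truncated power-law degree distribution P(k) ~ k^-r, normalized to 1."""
    raw = {k: k ** (-r) for k in range(kmin, kmax + 1)}
    z = sum(raw.values())
    return {k: v / z for k, v in raw.items()}


def moments(pk):
    """First two moments <k> and <k^2> of the degree distribution."""
    k1 = sum(k * p for k, p in pk.items())
    k2 = sum(k * k * p for k, p in pk.items())
    return k1, k2


def critical_rate(p, pk):
    """Infection threshold lam_c obtained by linearizing at the disease-free equilibrium.

    At the DFE every degree class has s_k = mu/(mu+alpha). A small seed of bots grows iff
    lam * s0 * sigma * <k^2> > (sigma+beta+mu) * (delta+mu) * <k>,
    so lam_c shrinks as <k^2>/<k> grows, which is exactly what the fat tail of a
    scale-free degree distribution produces.
    """
    k1, k2 = moments(pk)
    s0 = p.mu / (p.mu + p.alpha)
    return k1 * (p.sigma + p.beta + p.mu) * (p.delta + p.mu) / (s0 * p.sigma * k2)


def simulate(p, pk, i0=1e-3, t_end=1500.0, dt=0.5):
    """Forward-Euler integration of the per-degree densities s_k, e_k, i_k.

    theta is the probability that a randomly chosen link points at a bot,
    theta = sum_k k P(k) i_k / <k>. The run starts at the DFE with a bot density
    i0 seeded into every degree class. Returns the time series of the network-wide
    bot density I(t) = sum_k P(k) i_k and the final theta. The recovered density
    r_k = 1 - s_k - e_k - i_k is implied and not needed for the dynamics.
    """
    k1, _ = moments(pk)
    s0 = p.mu / (p.mu + p.alpha)
    ks = sorted(pk)
    s = {k: s0 - i0 for k in ks}
    e = {k: 0.0 for k in ks}
    i = {k: i0 for k in ks}
    series = []
    for _ in range(int(t_end / dt)):
        theta = sum(k * pk[k] * i[k] for k in ks) / k1
        for k in ks:
            new_exposed = p.lam * k * s[k] * theta          # S -> E via infected neighbours
            ds = p.mu - new_exposed - (p.alpha + p.mu) * s[k]
            de = new_exposed - (p.sigma + p.beta + p.mu) * e[k]
            di = p.sigma * e[k] - (p.delta + p.mu) * i[k]
            s[k] += dt * ds
            e[k] += dt * de
            i[k] += dt * di
        series.append(sum(pk[k] * i[k] for k in ks))
    theta = sum(k * pk[k] * i[k] for k in ks) / k1
    return series, theta


def final_bot_density(p, pk, **kw):
    """Equilibrium density of bots reached at the end of the simulation."""
    return simulate(p, pk, **kw)[0][-1]


# Assumed baseline rates per hour; lam is set relative to lam_c at run time.
BASE = Params(lam=0.0, sigma=0.1, alpha=0.005, beta=0.01, delta=0.02, mu=0.01)

if __name__ == "__main__":
    pk = scale_free_pk()
    k1, k2 = moments(pk)
    lam_c = critical_rate(BASE, pk)
    print(f"<k>={k1:.2f}  <k^2>={k2:.1f}  lam_c={lam_c:.5f}")
    for factor in (0.5, 5.0):
        p = variant(BASE, lam=factor * lam_c)
        print(f"lam = {factor} * lam_c -> equilibrium bot density {final_bot_density(p, pk):.4f}")
    strong = variant(BASE, lam=5.0 * lam_c)
    print("higher immunization alpha:   ", round(final_bot_density(variant(strong, alpha=0.01), pk), 4))
    print("faster E->I conversion sigma:", round(final_bot_density(variant(strong, sigma=0.2), pk), 4))
    print("higher minimum degree:       ", round(final_bot_density(strong, scale_free_pk(kmin=3)), 4))
```

Because lam_c is proportional to <k>/<k^2>, widening the degree cutoff kmax drives the threshold toward zero, which is the quantitative content of the paper's remark that the critical value is very small on a scale-free network. The three sweeps at the end correspond to Figures 5, 6 and 7: raising the immunization rate lowers the equilibrium bot density, raising the exposed-to-infected rate increases it, and raising the minimum degree (hence the average degree) increases it.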

5. Conclusions

As a new kind of attack platform against network security, P2P botnets have attracted considerable attention. Research is necessary to fully understand the threat and prepare to defend against it. To better understand the spreading behavior of P2P botnets, this paper presents a mathematical model of P2P botnet formation that combines the scale-free character of the Internet with the way a P2P botnet is built. Hence, the model portrays the dynamical features of P2P botnet propagation more accurately. Theoretical analysis shows that the model has a globally stable endemic equilibrium. The influence of several parameters on the scale of the P2P botnet has been investigated. Simulation results demonstrate that it is difficult to destroy a P2P botnet completely in practice; this explains why much malware saturates at a very low level of persistence [30]. However, Figures 5 and 6 show that efficient countermeasures, such as real-time immunity or automatically running antivirus software, can reduce the scale of a P2P botnet and delay its outbreak.

The dynamical model presented here could be extended to study the growth possibilities of P2P botnets in future work. The model could also be used to predict how botmasters might create more potent and aggressive botnets. Such predictions could ultimately be useful to antimalware developers as well.

Appendix

Proof of Lemma 6. Substituting (3) into , we obtain
Let , and define the following sequence:
Then, according to Lemma 3, for , . By applying Proposition 4, we obtain
In what follows, consider the convergence of the sequence defined in (A.2). By (A.2), for all . If for all , then it is easy to obtain . By induction, for all , the sequence is decreasing, so its limit exists, denoted by . Then it is easy to show that . On the other hand, substituting (A.1) into (3), we obtain the following equation:
From (7), , so by letting , one obtains and . By the definition of the derivative, if is sufficiently small, then . According to Proposition 5, we can take such that, for all . Let
we have
If for all , it is easy to obtain . Thus, by induction, for each , the sequence is increasing, so its limit exists, denoted by . Thus, it is easy to verify that . Both and are positive stationary points of system (4). Therefore, by the uniqueness of the positive stationary point of the differential equation, we have and ; that is, . Substituting into (5), we obtain and . Lemma 6 is proven.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (61379125), Program for Basic Research of Shan’xi Province (2012011015-3), Higher School of Science and Technology Innovation Project of Shan’xi Province (2013148), Key Construction Disciplines of Xinzhou Teachers University (ZDXK201204, XK201307), Research Project of Chongqing University of Science and Technology (CK2013B15), and Research Program of Chongqing Municipal Education Commission (KJ131401).